Hot!Configuring Inter-VDOM routing over IPsec

Author
kzuk
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/08 15:27:26
  • Status: offline
2020/01/28 12:53:28 (permalink) 6.0
0

Configuring Inter-VDOM routing over IPsec

This is diagram of my infrastructure:

VDOMs Public have internet access, VDOMs Secure not.
 
For now VPN IPsec work correctly but only between VDOMs Public. Generally the current configuration works as in the diagram but I have problem with connect VDOMs Secure over IPsec. So my questions is:
  • How should I configure Inter-VDOM routing to connect VDOMs Secure over IPsec?
  • How should I configure Inter-VDOM routing to connect each VDOM with each other over IPsec?
Both devices is FortiGate 100E.
post edited by kzuk - 2020/01/28 13:02:09

Attached Image(s)

#1
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 13:09:12 (permalink)
0
I'm assuming there is no subnet overlaps between all secure vdoms (otherwise this wouldn't work without complicated NAT/VIP combinations). Since those secure vdoms need to go through the public vdom for internet, the routing should be as simple as below:
sec-vdom->pub-vdom: 0/0
pub-vdom->sec-vdom: internal subnets like 172.2, or 4,.255.0/24
#2
kzuk
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/08 15:27:26
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 13:33:25 (permalink)
0
Correct me if i'm wrong, but these routes I already have for VDOM-Links configuration. 
 

 

Attached Image(s)

#3
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 13:38:12 (permalink)
0
No, the routes(subnets) I wrote are the destinations of static routes. GW should be the opposite side IP of vdom-link. You must have assigned a /30 for each vdom-link. if sub-vdom has 10.0.0.2/30 the GW is 10.0.0.1 on the pub-vdom.
#4
kzuk
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/08 15:27:26
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 14:00:55 (permalink)
0
Ok, I have improved VDOM-Link configuration. I had no address (it was 0.0.0.0/0.0.0.0).
 
However, I don't quite understand the routing you wrote. Which interface should these entries be configured on?
 
For now on site B, VDOM Secure I add:
Dst 0.0.0.0/0; GW 10.0.0.1; Int vlink1
 
On VDOM Public:
Dst 172.4.255.0/24, GW 10.0.0.2; Int vlink0
 
vlink is VDOM-Link connected to VDOM Public and Secure. vlink0 is 10.0.0.1 (Public), vlink1 is 10.0.0.2 (Secure).
 
 
 
#5
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 15:24:03 (permalink)
0
Looks correct. Then at least you should be able ping a device in 172.4.255.0/24 from the pub-vdom. 
#6
kzuk
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/08 15:27:26
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 18:47:25 (permalink)
0
Look again on diagram on first post. Ping from which pub vdom? ;)

I need to connect on both ways:
172.1.255.0/24 with 172.2-4.255.0/24
172.2.255.0/24 with 172.3-4.255.0/24
172.3.255.0/24 with 172.4.255.0/24
#7
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/28 21:42:19 (permalink)
0
You asked about routing only accross vdom-link. My suggestion was only for that part. So pinging from local pub-vdom to the local sec-vdom is covered by those routes.
If you haven't done for any routing between two pub-vdoms over the tunnel, that's the next thing you need to figure out. That part is the basic of any IPSec config/routing/policy as if those 172.16.2/4.0/24 were located at those pub-vdoms, which you can find many examples everywhere. Only difference is the local interface is not "internal" or other physical ports, but the vdom-links.
Then you can pass traffic between 172.16.2.0/24 to 172.16.4.0/24 as well as toward the internet.
#8
kzuk
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/08 15:27:26
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/29 01:25:19 (permalink)
0
Picture from first post shows the working configuration, so:
 
1. i have IPsec connection between Public VDOMs who has access to internet
2. i have working Inter-VDOM routing (Public - Secure)
 
To be done:
1. Inter-VDOM routing through IPsec tunnel and connect each VDOM to each other. Especially to connect Secure VDOMs. I want to use existing IPsec tunnel to do this.
 
I wrote this in my first post.
 
I already try to create static route and policies to do this but no luck. Even after correcting the Inter-VDOM configuration.
 
#9
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Configuring Inter-VDOM routing over IPsec 2020/01/29 09:07:28 (permalink)
0
I seem to keep writing the same response again and again in the forum as you can find in search. Any IPsec related problem, if something is not directly connected at the termination point of IPSec, comes down to one of three components:
1) phase2 selector sets need to include the all traffic passing through. Your case, all 172.x.255.0/24 combinations. Easiest way is to change it back to the default 0/0<->0/0, which include every combinations.
2) routing THROUGH the tunnel for all subnets for BOTH directions. Make sure you see all subnets for all /24 at both pub pub-vdoms, half into the tunnel interface, and half to local interface/vdom-link. [get router info routing-t all]
3) policies at each section(vdom) allows the traffic for both directions.
 
Then most importantly, you need to know how to debug it if it doesn't work as you intend. Mainly two or three skill you need to learn:
0) check routing-table (get router info routing-t all)
2) sniffing packets at interfaces if the traffic is coming/going through the interface (diag sniffer packet <interface_name> '<expressions_for_filtering>' <output_format>. You can find examples/syntax on the internet. Just remember you have to disable asic offloading at the policies in case it's involved for VPN encryption for those pub-vdoms.
3) "flow debug" to find out WHY those packets are dropped or not going into the tunnel although sniffing shows it's getting into pub-vdom. You can search example/how to on the internet or this forum.
 
#10
Jump to:
© 2020 APG vNext Commercial Version 5.5